[sanesecurity] Re: MSRBL signatures

  • From: Gary V <mr88talent@xxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Sun, 28 Nov 2010 13:48:07 -0700

On 11/28/10, Bill Landry wrote:
> On 11/28/2010 11:32 AM, Steve Basford wrote:
>> Hi All,
>>
>> Sanesecurity rsync mirrors are reporting constant pounding with sites
>> requesting MSRBL signature databases. Sanesecurity *does not distribute
>> these signature databases*.
>>
>> Please could you all check your script configurations and ensure that
>> MSRBL signatures aren't downloaded from the Sanesecurity mirrors (ie.
>> rsync.sanesecurity.net) and
>> are in fact downloaded from *rsync://rsync.mirror.msrbl.com/msrbl/*
>>
>> MSRBL signatures have been removed from most download scripts now, as
>> the MSRBL signatures haven't been updated in over a year (last update:
>> 2009/07/24).
>
> Thanks Steve!
>
> And to stress that this advice should not be ignored or taken lightly,
> some (possibly all) of the rsync mirror sites are blacklisting sites
> that constantly request MSRBL signature updates.  There are currently
> 368 sites that are being blocked by the rsync blacklist.  Once these sites
> remove the MSRBL requests from the download scripts and request
> delisting here on the Sanesecurity users list, they will once again have
> access to Sanesecurity signature updates.  Until then, they will have no
> access to any Sanesecurity signature updates.
>
> Please also note that Sanesecurity DOES NOT distribute SecuriteInfo
> signature databases, so DO NOT request those from the Sanesecurity rsync
> mirrors either, lest you also risk being added to the blacklist.  For
> example, this will potentially get you added to the blacklist:
>
> ==========
> rsync: link_stat "honeynet.hdb" (in sanesecurity) failed: No such file
> or directory
> rsync: link_stat "honeynet.hdb.sig" (in sanesecurity) failed: No such
> file or directory
> rsync: link_stat "securiteinfo.hdb" (in sanesecurity) failed: No such
> file or directory
> rsync: link_stat "securiteinfo.hdb.sig" (in sanesecurity) failed: No
> such file or directory
> rsync: link_stat "vx.hdb" (in sanesecurity) failed: No such file or
> directory
> rsync: link_stat "vx.hdb.sig" (in sanesecurity) failed: No such file or
> directory
> ==========
>
> These are NOT Sanesecurity-distributed signature databases; download
> these signature databases from the SecuriteInfo download site.
>
> I might also add that all script users should periodically check the
> output of their download script for errors.  We are also seeing requests
> like the following:
>
> ==========
> rsync: link_stat "#" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "#.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat ":" (in sanesecurity)failed: No such file or directory
> rsync: link_stat ":.sig" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "MEDIUM" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "MEDIUM.sig" (in sanesecurity)failed: No such file or
> directory
> rsync: link_stat "false-positive" (in sanesecurity)failed: No such file
> or directory
> rsync: link_stat "false-positive.sig" (in sanesecurity)failed: No such
> file or directory
> rsync: link_stat "rating" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "rating.sig" (in sanesecurity)failed: No such file or
> directory
> rsync: link_stat "ONE" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "ONE.sig" (in sanesecurity)failed: No such file or
> directory
> rsync: link_stat "CONTAINS" (in sanesecurity)failed: No such file or
> directory
> rsync: link_stat "CONTAINS.sig" (in sanesecurity)failed: No such file or
> directory
> rsync: link_stat "THE" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "THE.sig" (in sanesecurity)failed: No such file or
> directory
> rsync: link_stat "COMPLETE" (in sanesecurity)failed: No such file or
> directory
> rsync: link_stat "COMPLETE.sig" (in sanesecurity)failed: No such file or
> directory
> rsync: link_stat "URL" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "URL.sig" (in sanesecurity)failed: No such file or
> directory
> rsync: link_stat "PATH" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "PATH.sig" (in sanesecurity)failed: No such file or
> directory
> rsync: link_stat "(MEDIUM" (in sanesecurity)failed: No such file or
> directory
> rsync: link_stat "(MEDIUM.sig" (in sanesecurity)failed: No such file or
> directory
> rsync: link_stat "RISK)," (in sanesecurity)failed: No such file or directory
> rsync: link_stat "RISK),.sig" (in sanesecurity)failed: No such file or
> directory
> rsync: link_stat "AND" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "AND.sig" (in sanesecurity)failed: No such file or
> directory
> rsync: link_stat "THE" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "THE.sig" (in sanesecurity)failed: No such file or
> directory
> rsync: link_stat "OTHER" (in sanesecurity)failed: No such file or directory
> rsync: link_stat "OTHER.sig" (in sanesecurity)failed: No such file or
> directory
> ==========
>
> Caution, when using the clamav-unofficial-sigs download script, DO NOT
> PLACE ANYTHING BETWEEN THE QUOTE "" MARKS IN THE CONFIG FILE 'ss_dbs'
> DOWNLOAD SECTION EXCEPT VALID AND CORRECTLY SPELLED SANESECURITY
> SIGNATURE DATABASE NAMES.  For example, as shown in the default config
> entry for Sanesecurity signature downloads:
>
> ss_dbs="
>     junk.ndb
>     jurlbl.ndb
>     phish.ndb
>     rogue.hdb
>     sanesecurity.ftm
>     scam.ndb
>     spamimg.hdb
>     winnow_malware.hdb
>     winnow_malware_links.ndb
> "
> However, DO NOT do something like this:
>
> ss_dbs="
>     junk.ndb
>     jurlbl.ndb
> #   phish.ndb
>     rogue.hdb
>     sanesecurity.ftm
> #   scam.ndb
>     spamimg.hdb
>     winnow_malware.hdb
>     winnow_malware_links.ndb
> "
>
> Instead, if, for example, you do not want to use the phish and scam
> databases, remove them from between the quotes, as follows:
>
> ss_dbs="
>     junk.ndb
>     jurlbl.ndb
>     rogue.hdb
>     sanesecurity.ftm
>     spamimg.hdb
>     winnow_malware.hdb
>     winnow_malware_links.ndb
> "
>
> As commenting them within the quoted section will only cause you
> problems and annoy the Sanesecurity rsync mirror site operators and
> possibly get your site added to the blacklist.
>
> Ignore this advice at your own peril, and risk being blacklisted from
> any and all Sanesecurity signature database updates.
>
> Regards,
>
> Bill
>

In clamav-unofficial-sigs.conf it does state something like:

# Add or remove database file names between quote marks as needed.  To
# disable usage of any of the Sanesecurity distributed database files
# shown, remove the database file name from the quoted section below.
# To disable usage of all Sanesecurity distributed databases, comment
# all of the quoted lines below.

But it may not hurt to add "Do NOT comment out individual databases!"

-- 
Gary V
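The failures Bill quotes (rsync asking the mirror for "#", "MEDIUM", "RISK)," and so on) come from shell word-splitting of the quoted ss_dbs value, where a leading '#' inside the quotes is just another word. As an added example, not code from the clamav-unofficial-sigs project or from anyone in this thread, here is a POSIX sh pre-flight check that lists the tokens rsync would receive and refuses to proceed when any of them is not a plausible database file name (the accepted extensions ndb, hdb and ftm are an assumption taken from the names in the thread):

```shell
#!/bin/sh
# Added example (not part of clamav-unofficial-sigs): validate an ss_dbs-style
# quoted list BEFORE it is handed to rsync.  Inside a double-quoted string a
# leading '#' is not a comment; unquoted expansion word-splits the value, so
# "#   phish.ndb" becomes the two rsync targets "#" and "phish.ndb".

# Print each token the shell would pass to rsync, one per line.
# set -f disables globbing so a stray '*' is reported rather than expanded.
ss_dbs_tokens() {
    ( set -f; for tok in $1; do printf '%s\n' "$tok"; done )
}

# Print every token that does not look like a database file name.
# Extension list is an assumption based on the names quoted in the thread.
ss_dbs_bad_tokens() {
    ss_dbs_tokens "$1" | grep -Ev '^[A-Za-z0-9_-]+\.(ndb|hdb|ftm)$' || true
}

# Number of bad tokens; 0 means the list is safe to feed to rsync.
ss_dbs_bad_count() {
    ss_dbs_bad_tokens "$1" | grep -c . || true
}

# Return 0 when the list is clean, 1 (with a report on stderr) otherwise.
validate_ss_dbs() {
    bad=$(ss_dbs_bad_tokens "$1")
    if [ -n "$bad" ]; then
        printf 'refusing to run rsync; invalid ss_dbs entries:\n%s\n' "$bad" >&2
        return 1
    fi
}

# Constructed sample: the "DO NOT do this" list from the thread, with one
# entry commented out inside the quotes.
commented_ss_dbs="
    junk.ndb
    jurlbl.ndb
#   phish.ndb
    rogue.hdb
"

# Stand-alone run: reports the lone "#" token and exits non-zero.
validate_ss_dbs "$commented_ss_dbs"
```

Wire `validate_ss_dbs "$ss_dbs" || exit 1` in ahead of the rsync call and the script stops locally instead of hammering the mirror with requests for files that cannot exist.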
